I thought telcos could benefit if I shared my interview with a SIMboxer, or, more precisely, a former SIMboxer. I’ve been aware of SIMboxing since 2002, and was involved in legal proceedings with one major SIMbox enterprise from 2003 to 2013, when their final appeal was thrown out by the European Court of Justice. I’ve been learning about SIMboxing all that time, so why would I want to talk to a former SIMboxer? Well, first, nobody knows everything. Second, much of the telco ‘knowledge’ is second-hand or inferred – is what you ‘know’ accurate? One option is to verify your data at source, so that’s why I took the opportunity to talk with ‘Dan’, the SIMbox man.
I’ve considered the possibility that this article may be criticised by operators who think it will educate SIMboxers – well guys, they already understand SIMboxing; it’s the telcos that need to learn more.
Dan grew up in a remote part of Eastern Europe. He was lucky that his father worked in a university, so from age 5 or 6 Dan had access to computers. Like many others in the early days, he became a geek (maybe now he would have become a gamer) and developed an addiction to computers, often missing school because he was coding or hacking.
He studied Mathematics for 2 years then changed subject and eventually dropped out of Higher Education. Like everyone else, Dan needed to earn money and his came from running a telemarketing service, delivering a billion pre-recorded marketing calls. This was his first exposure to VoIP. After 2 years he started working with international calls and developed a capability to terminate international calls using local analogue fixed lines.
Entering the Telecoms market
When Dan moved to another country he looked at telecoms as a means of earning money, especially when he found a demand for cheap international termination. In 2009/10, he delivered bypass traffic via Huawei USB sticks which supported one channel for about USD20; he had 100 SIMs working non-stop for 1-2 years before the carrier started to introduce fraud controls. Rather than being the end of the road, this was a challenge that just made Dan’s business more interesting. He recognised at about this time that playing the game effectively needed real SIMboxes for volume and he started running SIMboxes with 1,000 SIMs.
Down to Business
I asked Dan how he chose his routes and he said it was simply driven by rates. Because of all the traffic we’ve seen going to Cuba, it was interesting that Dan mentioned Cuba as an exception. Cuba is a no-go because it’s controlled by the army – the only way you can work there is to have your equipment in embassies.
Africa was initially successful but the business model was affected by pre-paid registration – it’s still possible to get around it, but you really need a local contact and/or a company insider. Basically, for Dan it was not worth the effort – too much time was wasted when there were better opportunities. His business model led him to work on termination where the rate was 12 cents or more and this provided him a net profit of USD 1-4,000 per day.
Dan says he spent 6-12 months preparing a new route. To avoid detection, there is a need to make SIMbox SIMs look like a human user, so you need to research normal usage in that market. For example, in some markets, it is normal for 60% of usage to be WhatsApp or Viber, and successful SIMboxers understand that excessive minutes on regular voice routes can be a detection trigger. If you can’t simulate ‘normal’ it can be a big financial hit when your 1,000 x USD20 SIMs are blocked after 5 minutes. It may need an investment of USD 15-20k to optimise a SIMbox operation. In some countries, it is difficult to import SIMbox equipment and, dependent on other factors, this could be a barrier to entering that market.
Operationally, systems need 24-hour monitoring, so you need teams of people. One of the problems for SIMbox operators is that their ‘employees’ steal the process, buy their own equipment and set up their own operations. Dan’s solution to this aspect of the business was to automate and he wrote thousands of scripts to support the process and minimise manual interventions – because he retained control of the critical processes, that meant less work for him.
This is the main objective, after all. But, today, you can’t put tens of thousands of dollars into a personal bank account without people asking questions, so you need a company account. And since the telco transit companies are set up offshore, your company and bank account might as well be offshore too; you also get the added benefits of zero reporting and zero taxation.
In the wholesale telecoms market, operators know what sort of route they are buying when they get a 20-70% discount. The carrier teams play the game and blend grey routes with legitimate terminations. In some cases, there is a conflict within the telco because the carrier team is buying the type of routes that the fraud prevention guys are trying to detect and block. Dan also mentioned situations where one operator within a telco Group was using SIMbox routes to terminate traffic into another company within the same group!
This is often a national or regional issue. In some markets, there are unlimited supplies available from distributors, but buying in bulk carries the inherent risk that the fraud team will block them in bulk. In markets where there is a legal requirement to register SIMs there are adequate supplies available from re-seller kiosks who either do not care about registration or accept false documents and IDs. The other options are to buy from illegal sources which supply pre-registered SIMs or go direct to the telco and pay a bribe for pre-registered SIMs; Dan has seen 1,000 SIMs purchased in a single transaction.
Why Give Up SIMboxing?
Dan reduced his employee risk by handling the core functions, but this meant living what he described as:
11 years, working 24 hours per day on a computer
Nobody in Dan’s organisation got caught, but he began to worry about personal risk to people working for him; those hosting SIMbox equipment in their homes and those buying SIMs and equipment. So, he wound the business down and stopped. Now he’s changed sides and he’s trying to sell his insider knowledge and expertise back to the telcos. Dan knows that SIMboxing has been a major fraud topic for at least 10 years but when he tries to talk to the telcos they tell him they’re using commercial solutions so they’re already protected. How is SIMbox fraud still possible if telcos are protected and, if they are protected, why has SIMboxing remained a top 3 issue for the last 10 years? Something doesn’t add up.
What’s Going Wrong?
Dan has seen vendor reports which have been provided to operators and says it is obvious that SIMbox solutions are not being used properly, and he blames the telcos. He may be right, but someone most familiar with a one-employee business may not appreciate the challenges of change management in a telco.
He also thinks that telcos under-invest in detection and resent paying USD 3,000 per month, for example, for test call generation (TCG). Telcos say TCG is not efficient enough, but Dan disagrees. I’m sure the vendors will love hearing a voice from the other side saying that too many operators do not realise that detection is related to call volume, and that too few calls reduce detection rates. Dan says part of being a successful SIMbox operator is to evolve every day – the telcos need an equivalent response and they’re just not good enough. The reluctance to invest extends to VoIP bypass, where a telco with a 25¢ interconnect route cannot decide whether to spend $200k on a proven Viber solution.
For me there was a striking contrast between USD3,000 per month for TCG and USD1-4,000 profit per day for the SIMboxer.
Dan cited the arrival of new equipment from a Chinese supplier, GOIP, as a game-changer. It’s cheap, easy to use, non-technical and they also offer outsourced management services including protection against the GSM operator’s anti-fraud systems! Previously, commercial SIMboxes cost USD 30-100k, now they’re available for USD 1,000 – perfect for aspiring entrepreneurs and hobbyist criminals.
However, for me, the most interesting reason Dan gave for failures on SIMboxing was telco corruption. We had already covered the issues of the carrier team knowingly buying bypass routes, distributors supplying SIMs in bulk and logistics corruptly selling pre-registered SIMs, so what else was there? Dan quoted the example of a Head of Fraud, in a country well-known for SIMbox termination, who denied they have SIMboxing. He declined the offer of a free 10-minute demo to prove it and said he was not interested; Dan said he was corrupt. I agreed he may be incompetent and have a closed mind, but that doesn’t make him corrupt. (Note to vendors: what you think is an irresistible free offer may be seen as an admin headache and waste of time by a fraud manager who has already tried something similar without significant benefits).
Dan backed up his opinion with examples. In one example, a carrier VP was running his own SIMbox operation with the help of a corrupt Head of Fraud Prevention. OK, but are these ‘examples’ where you have personal knowledge of their corruption? Dan then quoted three cases where he paid fraud prevention guys to leave his SIMs running. Maybe you should ask yourself how much your fraud prevention team is being offered. And would they tell you if you asked them?
If we accept Dan’s story at face value (and what would be his motive for lying?) he is only confirming what some of us already know, that telco corruption supports SIMbox operations. It becomes worrying if you list all the stages in the process where it is occurring:
- False pre-registered SIMs
- Bulk supply of SIMs
- Carrier teams buying discounted bypass termination
- Carrier staff running their own bypass termination
- Fraud prevention staff on the SIMboxer’s payroll
However, there’s one scenario Dan didn’t mention. That is where the corruption occurs in the SIMbox detection vendor. It may be the vendor boosting SIMbox traffic before a proof of concept to inflate the apparent size of the problem and also ensure instant results once the service is commissioned. But it may extend to collaborating with senior staff in the telecoms ministry who are running a bypass business. There may even be people in the vendor organisation running their own bypass business and paying a commission to senior staff in the telecoms ministry.
So, What Now?
I hope every telco CEO asks his/her fraud managers to show them a copy of their SIMbox risk assessment and asks them two questions:
- Have you considered these risks?
- What controls address them?
If anyone wants to benefit from Dan’s experience, email firstname.lastname@example.org from your telco email and I’ll put you in touch. And if you want to ‘know’ how much your fraud prevention team may be offered, send us your guess and we’ll tell you what Dan was paying.
Very interesting article Dave. Thank you for sharing the discussions you had with Dan. The topic of internal fraud or even fraud within SIM box detection vendors is always a delicate one because it is never correct to make accusations without direct proof. On the flip side, given the volume of indirect proof it would be reckless for a telco to assume that internal fraud could not be causing them substantial revenue loss. This indirect proof includes:
– Confirmation from fraudsters like Dan that he bribes telco staff
– When our test calls detect much higher levels of bypass with SIMs we purchase ourselves compared to the SIMs provided by the telco
– Where operators use our STEALTH mode and see much higher rates of bypass compared to the SIMs and virtual numbers provided by the telco. A description of STEALTH mode can be seen in the Black Swan article on Stealth Test Calls.
Your two questions are exactly the right ones to ask:
– Have you considered these risks?
– What controls address them?
Thanks Paul. You’re right about internal fraud being a sensitive issue – most of us trust our colleagues so the default response is often denial; however, denying that it’s a risk doesn’t solve the problem.
I also think you’ve provided some great supporting evidence. I haven’t heard a credible explanation for the difference in bypass levels between your vendor-purchased test SIMs and telco-supplied test SIMs and, until I do, I regard internal collusion as the most likely cause. If anyone knows different, then let’s hear it!
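Two detection points raised on this page can be put into numbers: Dan's remark that too few test calls reduce detection rates, and the comparison in the comments between bypass levels seen on independently purchased test SIMs and on telco-supplied ones. The Python below is an added example, not part of the original article or comments and not any vendor's method; it assumes test calls are independent, and every bypass share and call count in it is a constructed sample figure.

```python
import math


def detection_probability(bypass_share: float, test_calls: int) -> float:
    """Chance that at least one of `test_calls` lands on a bypass route."""
    return 1.0 - (1.0 - bypass_share) ** test_calls


def calls_needed(bypass_share: float, confidence: float = 0.95) -> int:
    """Smallest number of test calls giving `confidence` of at least one hit."""
    if not 0.0 < bypass_share < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("bypass_share and confidence must be between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - bypass_share))


def compare_sim_pools(hits_a: int, calls_a: int, hits_b: int, calls_b: int):
    """Two-proportion z-test on bypass hit rates of two test-SIM pools.

    Pool A: SIMs bought independently. Pool B: SIMs supplied by the telco.
    Returns (rate_a, rate_b, z, two_sided_p_value).
    """
    if calls_a <= 0 or calls_b <= 0:
        raise ValueError("each pool needs at least one test call")
    rate_a, rate_b = hits_a / calls_a, hits_b / calls_b
    pooled = (hits_a + hits_b) / (calls_a + calls_b)
    std_err = math.sqrt(pooled * (1.0 - pooled) * (1.0 / calls_a + 1.0 / calls_b))
    if std_err == 0.0:  # no hits at all, or every call hit: nothing to compare
        return rate_a, rate_b, 0.0, 1.0
    z = (rate_a - rate_b) / std_err
    p_value = math.erfc(abs(z) / math.sqrt(2.0))  # two-sided normal tail
    return rate_a, rate_b, z, p_value


if __name__ == "__main__":
    # Constructed figure: 2% of traffic on the tested route is bypassed.
    print("P(detect) with 20 calls:", round(detection_probability(0.02, 20), 3))
    print("Calls for 95% confidence:", calls_needed(0.02, 0.95))

    # Constructed figures: 500 test calls per pool on the same route and period.
    rate_a, rate_b, z, p = compare_sim_pools(60, 500, 15, 500)
    print(f"independent SIMs {rate_a:.1%}, telco-supplied SIMs {rate_b:.1%}")
    print(f"z = {z:.2f}, p = {p:.2g}")
    if p < 0.01 and rate_a > rate_b:
        print("Gap is unlikely to be chance: review who can see the test SIM list")
```

A significant gap does not by itself prove collusion; it shows that the telco-supplied numbers are being treated differently and that access to the test SIM list is a control worth auditing.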